Sucuri Blog

WordPress Update – 4.9.7 Security & Maintenance Release

July 5, 2018 | Marc-Alexandre Montpas

Security Risk: Dangerous

Exploitation Level: Moderately Difficult/Remote

DREAD Score: 6.8/10

Vulnerability: Arbitrary File Deletion

Patched Version: 4.9.7


The WordPress team has just released a critical security and maintenance update to resolve a number of bugs and security issues.

Included in this release is a patch that protects against a vulnerability allowing bad actors to delete files from your site. If certain circumstances are met, this vulnerability may be enough for an attacker to completely take control of your website.

Are You at Risk?

If you don’t have automatic updates enabled or are using WordPress version 4.9.6 or earlier, your site may be vulnerable to this security issue originally reported by Slavco.

Technical Details

As mentioned in the original full disclosure article, the media editor page relies on user input to specify what file to delete when removing an attachment from the site. This may allow bad actors to delete files outside of the uploads directory and potentially take control of your website.

Due to the nature of this editor, this bug can only be exploited by users with file upload privileges (Author role or higher).

In order to take over a site using this vulnerability, an attacker needs to remove important files from the site’s directory, such as wp-config.php. This would force WordPress to run its installation scripts again, but using the attacker’s information instead.
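As an added illustration (not code from this post or from WordPress core), the following PHP contrasts the unsafe pattern described above, where a user-influenced file name is trusted when an attachment's files are deleted, with a hardened version that confines deletion to the uploads directory. The function names and the temporary directory layout are assumptions made for this example.

```php
<?php
// Added illustration, not WordPress core code. Shows the bug class this
// release patches: a file name taken from user-influenced attachment data
// is joined to the uploads directory and deleted, so a name carrying "../"
// can reach files outside uploads. Function and variable names are assumed.

function is_inside_uploads( string $candidate, string $uploads_dir ): bool {
    $base = realpath( $uploads_dir );
    $real = realpath( $candidate );
    // realpath() is false for non-existent paths, so a missing file is
    // refused here instead of being handed to unlink().
    if ( $base === false || $real === false ) {
        return false;
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return strncmp( $real, $base, strlen( $base ) ) === 0;
}

// Vulnerable shape: the stored thumbnail name is trusted as-is.
function delete_thumb_unsafe( string $uploads_dir, string $thumb_from_meta ): bool {
    return @unlink( $uploads_dir . DIRECTORY_SEPARATOR . $thumb_from_meta );
}

// Hardened shape: drop any directory component from the stored value, then
// confirm the resolved path still lives under the uploads directory.
function delete_thumb_safe( string $uploads_dir, string $thumb_from_meta ): bool {
    $path = $uploads_dir . DIRECTORY_SEPARATOR . basename( $thumb_from_meta );
    if ( ! is_inside_uploads( $path, $uploads_dir ) ) {
        error_log( 'Refused to delete outside uploads: ' . $thumb_from_meta );
        return false;
    }
    return unlink( $path );
}

// Self-check on a constructed temporary layout (sample data, not a real site).
$root    = sys_get_temp_dir() . '/wp-demo-' . bin2hex( random_bytes( 4 ) );
$uploads = $root . '/wp-content/uploads';
mkdir( $uploads, 0700, true );
file_put_contents( $root . '/wp-config.php', '<?php // constructed sample' );
file_put_contents( $uploads . '/thumb.jpg', 'constructed sample' );

$escaped  = delete_thumb_safe( $uploads, '../../wp-config.php' );
$survived = file_exists( $root . '/wp-config.php' );
$deleted  = delete_thumb_safe( $uploads, 'thumb.jpg' );
echo ( ! $escaped && $survived && $deleted ) ? "hardened path OK\n" : "FAILED\n";
```

The same confinement check is what a web application firewall or a custom plugin hook can enforce on any file-removal path that is fed from stored attachment data.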

Update As Soon As Possible

If you are using a vulnerable version of WordPress (4.9.6 or earlier), we encourage you to update your CMS as soon as possible.

In the event that you are unable to update to the latest version, we strongly recommend that you employ the Sucuri Firewall or an equivalent technology to virtually patch the vulnerability.


About Marc-Alexandre Montpas

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.
